100 

INTERCEPT AN ACCESS ATTEMPT TO A PROTECTED 
RESOURCE 
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COMPARE THE ACCESS AT 
SET OF ALLOWABLE ACCES5 
IF THE ACCESS ATTEMF 
PREVIOUS ALLOWAB 
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TEMPT TO A PREEXISTING 
5 ATTEMPTS TO DETERMINE 
T CORRESPONDS TO A 
LE ACCESS ATTEMPT 




103 

DISALLOW DATA 
ACCESS ATTEMPT 



YES 



104 

SELECTIVELY PERMIT, BASED ON THE COMPARISON, 
ACCESS TO THE PROTECTED RESOURCE ACCORDING 
TO THE ACCESS ATTEMPT 



105 

ADD, IF THE ACCESS ATTEMPT IS PERMITTED, THE 
ACCESS ATTEMPT TO THE SET OF ALLOWABLE ACCESS 

ATTEMPTS 



Fig. 2 



200 

DEFINE AN ACCESS POLICY HAVING A PLURALITY OF 
ACCESS RULES, THE ACCESS RULES INDICATIVE OF 
ALLOWABLE ACCESS, WHEREIN THE PREEXISTING SET 
OF ALLOWABLE ACCESS ATTEMPTS CORRESPOND TO 
ONE OF THE PLURALITY OF THE RULES 






202 


> ► 


STEP 230 




FIG 7 



203 

INTERCEPT AN ACCESS ATTEMPT TO A 
PROTECTED RESOURCE 



204 

COMPUTE, BASED ON ITERATIVELY APPLYING 
THE ACCESS RULES TO THE ACCESS ATTEMPT, 
AN ACCESS RESULT INDICATIVE OF WHETHER TO 
ALLOW THE ACCESS ATTEMPT 



206 
ITERATIVELY 
APPLY NEXT 
RULE 



209 
DENY 

ACCESS 




BASELINE 



Fig. 4 
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210 

COMPARE THE ACCESS ATTEMPT TO A PREEXISTING SET OF 
ALLOWABLE ACCESS ATTEMPTS TO DETERMINE IF THE ACCESS 
ATTEMPT CORRESPONDS TO A PREVIOUS ALLOWABLE ACCESS 

ATTEMPT 



211 

ESTABLISH A BASELINE OF ALLOWABLE ACTIVITY, THE BASELINE 
INDICATIVE OF AN ACCEPTED SET OF ALLOWABLE ACCESS 

ATTEMPTS 
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> ► 


STEP 250 


FIG. 8 



214 

COMPARE THE ACCESS ATTEMPT TO PREEXISTING ACCESS ATTEMPTS BY 
DETERMINING A STRUCTURE OF THE ACCESS ATTEMPT CORRESPONDING TO 
SYNTACTICAL ARRANGEMENT OF THE ACCESS ATTEMPT 



215 

BUILD A PARSE TREE FROM THE PARSING, THE PARSE 
TREE INDICATIVE OF A SYNTACTICAL STRUCTURE OF 
THE DATA ACCESS ATTEMPT 



I 



216 

INCLUDES STRUCTURE OF THE ACCESS ATTEMPTS IN BASELINE, 
AND AVOID INCLUDING DATA VALUES OF THE DATA ACCESS 
ATTEMPTS DERIVED FROM BY COMPARING THE DETERMINED 
STRUCTURE OF THE ACCESS ATTEMPT INDEPENDENTLY OF THE 
DATA VALUES IMPLICATED IN THE ACCESS ATTEMPT 



Fig. 5 
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217 

COMPUTE A HASH VALUE FROM THE PARSE TREE, AND COMPARING THE 
HASH VALUE TO THE HASH VALUES OF PREVIOUS ACCESS ATTEMPTS 



218 

COMPARE A HASH VALUE DERIVED FROM THE DETERMINED 

STRUCTURE 



219 

CORRESPONDING ACCESS ATTEMPTS DEFINE A SIMILAR PATTERN 

OF ACCESS STRUCTURES, THE ACCESS STRUCTURES 
DETERMINED BY TABLES AND FIELDS AFFECTED BY THE ACCESS 

ATTEMPT 



221 

DISALLOW DATA 
ACCESS ATTEMPT 




YES 

1 



222 

SELECTIVELY PERMIT, BASED ON THE COMPARING, 
ACCESS TO THE PROTECTED RESOURCE ACCORDING 
TO THE ACCESS ATTEMPT 



Fig. 6 



i 



230 

IDENTIFY A PLURALITY OF ALLOWABLE ACCESS ATTEMPTS 







231 

PROCESS THE SERIES OF ALLOWABLE ACCESS ATTEMPTS TO 
DETERMINE RELATED GROUPS OF ALLOWABLE ACCESS 
TRANSACTIONS 







232 

INFER, BASED ON OBSERVABLE PATTERNS IN THE 
ALLOWABLE ACCESS ATTEMPTS, ACCESS RULES INDICATIVE 
OF THE PLURALITY OF ALLOWABLE ACCESS ATTEMPTS 
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1 





233 

SUGGEST, BASED ON A COMMONALITY OF THE PROCESSED 
GROUP OF ALLOWABLE ACCESS ATTEMPTS, AN ACCESS RULE 
INDICATIVE OF EACH OF THE SERIES OF ALLOWABLE ACCESS 

ATTEMPTS 




236 

ADD, IN RESPONSE TO OPERATOR INPUT, THE SUGGESTED 
ACCESS RULE TO THE ACCESS POLICY 



Fig. 7 



250 

IDENTIFY PREEXISTING SET OF ALLOWABLE ACCESS ATTEMPTS INCLUDING A 
CURRENT BASELINE REPRESENTATIVE OF A WINDOW OF ACCESS ATTEMPTS 



251 

MODIFY THE CURRENT BASELINE BY INCLUDING ACCESS 
ATTEMPTS FROM A DIFFERENT WINDOW OF ACCESS ATTEMPTS 



I 



252 

IDENTIFY A SAMPLING WINDOW OF ACCESS ATTEMPTS, THE SAMPLING WINDOW 
DETERMINISTIC OF ALLOWABLE ACCESS PATTERNS TO THE PROTECTED RESOURCE 



253 

STORE AN INDICATION O THE ACCESS ATTEMPTS MADE DURING THE WINDOW OF 

ACCESS ATTEMPTS 



254 

VERIFY THAT THE ACCESS ATTEMPTS IS INDICATIVE OF ALLOWABLE 

ACCESS BEHAVIOR 



255 

COMPARE A SENSITIVITY THRESHOLD INDICATIVE OF A SERIES OF 
CORRESPONDING ACCESS ATTEMPTS DEFINING A BENIGN PATTERN 




257 

GET NEXT DATA 
ACCESS ATTEMPT 



YES 



258 

SELECTIVELY ADD, BASED ON THE VERIFYING, THE ACCESS 
ATTEMPTS TO THE BASELINE OF ALLOWABLE ACCESS ATTEMPTS 



I 



259 

MERGE THE WINDOW OF ACCESS ATTEMPTS WITH A CURRENT 
BASELINE SET OF ACCESS ATTEMPTS, THE CURRENT BASELINE 
DEEMED DETERMINISTIC OF ALLOWABLE ACCESS BEHAVIOR 



Fig. 8 
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